cvedb.io
CVE-2026-29049
MEDIUM · CVSS 4.3
EPSS exploitation probability: 0%
Published 2026-03-06T07:16:02.093 · Last modified 2026-06-17T10:29:30.467

Summary

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, `melange update-cache` downloads the URIs listed in build configs via `io.Copy` with no size limit and no HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can therefore cause unbounded disk writes and exhaust the disk on the build runner. There is no known patch publicly available.
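The defect is the unbounded copy plus the missing client timeout. The following Go example, added here and not taken from melange, shows the hardened pattern a downloader of config-supplied URIs should use: an `http.Client` with a `Timeout` so a stalled server cannot hold the runner, and `io.LimitReader` around the body so a hostile or oversized response is rejected rather than written to disk without bound. The function names (`copyLimited`, `newDownloadClient`, `fetchLimited`), the 1024-byte cap and the constructed sample body are assumptions for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"time"
)

// ErrTooLarge is returned when a response body exceeds the configured cap.
var ErrTooLarge = errors.New("download exceeds size limit")

// copyLimited copies at most maxBytes from src to dst. It reads one byte
// past the cap so an oversized body is detected and reported, not silently
// truncated; the bytes written to dst are bounded by maxBytes+1 either way.
func copyLimited(dst io.Writer, src io.Reader, maxBytes int64) (int64, error) {
	n, err := io.Copy(dst, io.LimitReader(src, maxBytes+1))
	if err != nil {
		return n, err
	}
	if n > maxBytes {
		return n, ErrTooLarge
	}
	return n, nil
}

// newDownloadClient returns an HTTP client that gives up after timeout,
// covering connection, request and body read, so a slow or stalled server
// cannot tie up the build runner indefinitely.
func newDownloadClient(timeout time.Duration) *http.Client {
	return &http.Client{Timeout: timeout}
}

// fetchLimited downloads url with client and writes at most maxBytes to dst.
// A server-declared Content-Length above the cap is refused before any
// body bytes are read.
func fetchLimited(client *http.Client, url string, dst io.Writer, maxBytes int64) (int64, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("unexpected status %s", resp.Status)
	}
	if resp.ContentLength > maxBytes {
		return 0, ErrTooLarge
	}
	return copyLimited(dst, resp.Body, maxBytes)
}

func main() {
	// Constructed input standing in for a response body; no network needed.
	body := bytes.Repeat([]byte("A"), 2048)
	var sink bytes.Buffer
	n, err := copyLimited(&sink, bytes.NewReader(body), 1024)
	fmt.Printf("copied %d bytes, err=%v\n", n, err) // copied 1025 bytes, err=download exceeds size limit

	client := newDownloadClient(30 * time.Second)
	fmt.Printf("client timeout: %s\n", client.Timeout)
}
```

The cap should be chosen per artifact class (a source tarball and a patch file differ by orders of magnitude), and a rejected download should surface as a build failure with the offending URI, since a config that triggers the limit is itself the signal worth alerting on.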

Affected products

chainguard — melange
